Oklahoma Legislature files privacy law focused on data protection and national security concerns

Lock sitting on a laptop keyboard

Earlier this year we provided updates on Oklahoma House Bill 1602 (HB 1602), a bipartisan proposal that received national press for being one of the most stringent privacy laws proposed or enacted by a state legislature. Over the summer, HB 1602 hit roadblocks in the Oklahoma Senate and was not enacted into law.

On September 9, 2021, the same representatives that proposed HB 1602 – Majority Leader Rep. Josh West, R-Grove, and Rep. Collin Walke, D-Oklahoma City – filed the Oklahoma Computer Data Privacy Act of 2022 or House Bill 2968 (HB 2968), once again seeking to enact consumer privacy legislation for the state. With this revised proposal, the representatives cite national security concerns as a driving force for new proposed statutory protections of the data of Oklahoma residents. House Bill 2968 can be read online here.

If passed, HB 2968 would mandate significant privacy and security requirements for specific types of businesses operating or doing business in Oklahoma. These include the creation and disclosure of privacy policies, limitations on the collection, use and retention of consumer information, and the implementation and maintenance of security procedures, practices and safeguards. HB 2968 also creates consumer privacy rights for Oklahoma residents that require consumer “opt-in” prior to the collection, use and sale of information, a consumer right to request information from businesses about what information they have collected, used or shared, and the consumer right to have certain information deleted.

HB 2968 provides that the Oklahoma Attorney General shall be responsible for enforcing the Oklahoma Computer Data Privacy Act of 2022. Companies that are found to violate the law would be liable for injunctive relief, statutory damages up to $7,500 for intentional violations and $2,500 for unintentional violations, and punitive damages if requested by the Attorney General. HB 2968 does not provide an explicit right for consumers to sue in their own private actions.

If passed during the 2022 legislative session, this new privacy law would become effective on Nov. 1, 2023, providing businesses approximately one year to update their practices to comply with the requirements of HB 2968. Notably, HB 1602 will also be considered during the 2022 legislative session, providing Oklahoma lawmakers with two proposed laws for Oklahoma consumer data regulation. In a joint press release announcing HB 2968, co-author West noted that the “[t]he importance of data privacy legislation cannot be overstated” and “[b]ecause data privacy is clearly a matter of personal, state and national security, we cannot wait any longer for implementation.” Co-author Walke reiterated this sentiment, stating Oklahoma “must be part of the solution and not the problem.”

As a result, and as the Oklahoma Computer Data Privacy Act of 2022 moves through the legislative process, businesses should assess and address the privacy policies and security safeguards that protect their consumers and impact Oklahoma residents.

From general inquiries to drafting, implementing and training your workforce, McAfee & Taft can help you navigate these and other cybersecurity issues using decades of experience and a collection of best practices and resources. For more information on these and other privacy law and cybersecurity issues questions, please feel free to contact one of our Data Privacy and Cybersecurity attorneys.